The International Systems Audit and Control Association (ISACA) defines information systems (or information technology) auditing as the process that collects and evaluates evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organisational goals effectively, consume resources efficiently and have effective internal controls that provide reasonable assurance that business, operational and control objectives are met.
IS/IT evaluation includes but is not limited to efficiency and security protocols, development processes, and IT governance or oversight. The goal is to evaluate the organisation's ability to protect its information assets and properly dispense information to authorised parties. The IT audit's agenda may be summarised by the following questions:
- Will the organisation's computer systems be available for the business at all times when required? (Availability)
- Will the information in the systems be disclosed only to authorised users? (Confidentiality)
- Will the information provided by the system always be accurate, reliable and timely? (Integrity)
The IT audit focuses on determining risks that are relevant to information assets, and on assessing controls in order to reduce or mitigate these risks. Implementing controls can minimise the effect of risks, but it cannot completely eliminate all risks.
It should still be noted that an IT audit is also a type of audit and is performed in a similar way to the financial audit. An IT audit also requires that you plan for the audit, evaluate and test controls, obtain the necessary evidence and report findings.